The industry standard for the best peace of mind is for ALL dependencies to be pinned, both the lockfile and the dependencies.
Upgrades are done manually and all characters such as "^", "*", next to the version are removed for a fixed predictable version to avoid unexpected version bumps or hijacked packages in case they are compromised.
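As an added illustration of the pinning practice described in that comment (example code written for this page, not the commenter's or any project's), the script below flags every specifier in a package.json that still carries a range operator and rewrites each one to the exact version the lockfile resolved it to. It assumes the package-lock.json v2/v3 layout where `lock.packages["node_modules/<name>"].version` holds the resolved version; the manifest and lockfile fragment are constructed samples.

```javascript
// Added example, not code from the thread: report dependency specifiers in a
// package.json that carry a range operator instead of an exact version, and
// rewrite them to the exact version recorded in the lockfile.
// Assumption: package-lock.json v2/v3 layout, lock.packages["node_modules/<name>"].version

// Exact semver only: "1.2.3", "1.2.3-beta.1". Anything else ("^1.2.3", "~1.2",
// "*", ">=1", "latest", git/file URLs) is treated as unpinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

function isPinned(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec.trim());
}

// Returns [{section, name, spec}] for every specifier that is not an exact version.
function findUnpinned(pkg) {
  const out = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinned(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Returns a copy of pkg with each range replaced by the version the lockfile
// resolved it to. Throws if a dependency is missing from the lockfile, since
// silently keeping the range would defeat the point of pinning.
function pinFromLockfile(pkg, lock) {
  const pinned = JSON.parse(JSON.stringify(pkg));
  for (const { section, name } of findUnpinned(pkg)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry || !entry.version) throw new Error(`no lockfile entry for ${name}`);
    pinned[section][name] = entry.version;
  }
  return pinned;
}

// Constructed sample manifest and lockfile fragment (not real project data)
const samplePkg = {
  dependencies: { express: "^4.18.2", lodash: "4.17.21", minimist: "*" },
  devDependencies: { jest: "~29.7.0", typescript: "5.2.2" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/express": { version: "4.18.3" },
    "node_modules/minimist": { version: "1.2.8" },
    "node_modules/jest": { version: "29.7.0" },
  },
};
```

Running `findUnpinned` on the result of `pinFromLockfile` should return an empty list; a non-empty result in CI is the check that catches a range that crept back in.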
> The industry standard for the best peace of mind
I read about "industry standards" in software and never see them in the wild.
Odd to assume your own direct experience is uniformly distributed belief.